gobuster

Gobuster is a widely used tool for web enumeration, allowing security professionals and penetration testers to discover hidden directories, subdomains, and virtual hosts on web applications. This tool helps uncover critical information that could be leveraged in an attack simulation.

Installing Gobuster

Gobuster is pre-installed on Kali Linux. If you need to install it manually, use the following command:

sudo apt install gobuster

Using Gobuster for Web Enumeration

Gobuster provides multiple functionalities, including directory brute-forcing, subdomain enumeration, and virtual host discovery.

Directory Enumeration

To discover hidden directories on a target website, use:

gobuster dir -u <URL> -w <WORDLIST> -t 64

Where:

  • -u <URL> specifies the target URL.

  • -w <WORDLIST> defines the wordlist used for brute-forcing.

  • -t 64 sets the number of concurrent threads (higher values speed up the scan but may trigger rate limiting or blocking on the server).
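As an added defender-side example (not part of the original cheat sheet), the following Python flags the access-log signature a threaded directory scan like the command above leaves behind: many 404 responses for many distinct paths from one source within a few seconds. The log lines, the 203.0.113.5 and 198.51.100.7 addresses and the gobuster/3.6 User-Agent string are constructed sample data, and the window and count thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format; only the fields the heuristic needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect_dir_bruteforce(lines, window=timedelta(seconds=10), min_404=20, min_distinct=15):
    """Flag source IPs that 404 on many distinct paths inside one sliding time window:
    the burst shape of wordlist-driven enumeration, which a normal client rarely produces."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = recs[start:end + 1]
            distinct = {r["path"] for r in burst}
            if len(burst) >= min_404 and len(distinct) >= min_distinct:
                # User-Agent is recorded as corroboration only; it is client-controlled.
                flagged[ip] = {"count_404": len(burst), "distinct_paths": len(distinct),
                               "user_agent": burst[-1]["ua"]}
                break
    return flagged

# Constructed sample log: one scanner-like client with 30 misses in 6 seconds, one normal browser.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Mar/2024:12:00:{i % 6:02d} +0000] "GET /word{i} HTTP/1.1" 404 196 "-" "gobuster/3.6"'
    for i in range(30)
] + [
    '198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]
```

Running detect_dir_bruteforce(SAMPLE_LOG) flags only 203.0.113.5; the browser's single 404 stays below the thresholds.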

Useful Wordlists

Kali Linux provides built-in wordlists for directory enumeration:

/usr/share/wordlists/dirbuster/
/usr/share/wordlists/dirb/

Enumerating Files with Specific Extensions

To search for specific file extensions such as .html, .js, and .css, use:

For example:

Subdomain Enumeration

Gobuster can also be used for subdomain enumeration:

Where:

  • -d <Domain> specifies the target domain.

  • -w <wordlist> defines the list of possible subdomains.

Example:

Virtual Host Enumeration

Virtual host enumeration can be used to discover additional hostnames for a given domain:

Where:

  • --append-domain automatically appends the domain name to the wordlist entries.

  • --exclude-length 250-320 filters out responses with specific lengths.

Example:
